Same thing - you just extract the public key from the certificate and use it to
verify the signature. You don't need a TPM to validate the signature and you don't
even need TSS - everything can be done in OpenSSL. The key thing to keep in mind is
that "verify" == "decrypt_with_public_key". Here is a working example:

#include <string.h>
#include <glib.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>

gboolean
ak_crypto_verify_sha1_with_rsa (RSA *rsa, gpointer data, gsize data_len,
                                gpointer sig, gsize sig_len)
{
  g_return_val_if_fail (rsa != NULL, FALSE);
  g_return_val_if_fail (data != NULL, FALSE);
  g_return_val_if_fail (data_len > 0, FALSE);
  g_return_val_if_fail (sig != NULL, FALSE);
  g_return_val_if_fail (sig_len == 256, FALSE); /* 2048-bit keys only */

  gboolean ret = FALSE;
  gchar msg_buf[512];

  /* DigestInfo for SHA-1: 15-byte DER prefix followed by the
   * calculated digest of the provided data */
  guint8 digest_info_der[35] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
                                0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
  SHA1 (data, data_len, &digest_info_der[15]);

  /* decrypt signature and remove PKCS#1 v1.5 padding */
  guint8 digest[256];
  /* RSA_public_decrypt returns an int: recovered length, or -1 on error */
  int digest_size = RSA_public_decrypt ((int) sig_len, sig, digest, rsa,
                                        RSA_PKCS1_PADDING);
  if (digest_size < 0) {
    ERR_error_string_n (ERR_get_error (), msg_buf, sizeof (msg_buf));
    g_critical (G_STRLOC ": %s", msg_buf);
    goto done;
  }

  /* the recovered DigestInfo must match in length and content */
  if ((gsize) digest_size == sizeof (digest_info_der)
      && memcmp (digest_info_der, digest, sizeof (digest_info_der)) == 0) {
    ret = TRUE;
  }

done:
  return ret;
}

----- Original Message -----
> From: "eye two are" <[email protected]>
> To: "David Challener" <[email protected]>
> Cc: "Ken Goldman" <[email protected]>,
> [email protected]
> Sent: Thursday, March 10, 2016 11:27:30 PM
> Subject: Re: [TrouSerS-users] Verifying a signature using public key
> from X509 certificate
> I am not trying to verify the certificate though. I am trying to
> verify a message that was signed using the tpm with the private key
> generated for the certificate. Is that possible? If so what are the
> steps required to verify the message using the certificate?
>
> On Wed, Mar 9, 2016 at 11:19 AM, David Challener <[email protected]> wrote:
> > Actually TPM 1.2 *does* verify signatures - but it requires owner
> > auth. You use one of those CMK commands to do it.
> >
> > And you *can* load in the public key without loading in the private
> > key to do it. I have some code around somewhere... I will try to
> > find it tomorrow....
> >
> > On Tue, Mar 8, 2016 at 6:29 PM, Tadd Seiff <[email protected]> wrote:
> > > TPM 1.2 doesn't verify signatures, but TSS 1.2 does.
> > >
> > > Trousers does all of the verification in software via openssl, it's
> > > not using the hardware, so this does make sense.
> > >
> > > That said, do you even need to load the key? Maybe you can just
> > > leverage the software? As long as the key you are using meets the
> > > PKCSv1.5 criteria.
> > >
> > > To address why your key won't load: I'm not sure you can just
> > > arbitrarily create keys and load them, the key must be in the SRK
> > > hierarchy. In other words, the TPM creates keys and TELLS YOU the
> > > RSA pub key, not the other way around.
> > >
> > > -Tadd
> > >
> > > On Tue, Mar 8, 2016 at 2:43 PM Ken Goldman <[email protected]> wrote:
> > > > On 3/8/2016 3:24 AM, eye two are wrote:
> > > > > I am trying to verify a signature using a public key from an X509
> > > > > certificate generated with the tpm engine.
> > > >
> > > > I'm not a trousers expert, but I will note that:
> > > >
> > > > 1 - TPM 1.2 cannot do signature verification.
> > > >
> > > > 2 - With TPM 1.2, one cannot load a key unless you have both the public
> > > > and (wrapped) private part.
> > > >
> > > > Could #2 be related to your problem?
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Transform Data into Opportunity.
> > > > Accelerate data analysis in your applications with
> > > > Intel Data Analytics Acceleration Library.
> > > > Click to learn more.
> > > > http://makebettercode.com/inteldaal-eval
> > > > _______________________________________________
> > > > TrouSerS-users mailing list
> > > > [email protected]
> > > > https://lists.sourceforge.net/lists/listinfo/trousers-users
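
The check that the posted function leaves to RSA_public_decrypt (padding removal) plus memcmp, written out on the full-size block, as an added example that is not code from this thread or from TrouSerS. It assumes the block is what the raw public-key operation returns (for instance RSA_public_decrypt with RSA_NO_PADDING); the RSA step itself is not performed here, the function names are made up for the illustration, and the sample digest and block are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20
#define DIGEST_INFO_LEN 35 /* 15-byte DER prefix + 20-byte SHA-1 digest */
/* Same DER prefix as digest_info_der[] in the posted function. */
static const uint8_t sha1_prefix[15] = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
    0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};

/* Build EM = 00 01 FF..FF 00 || DigestInfo; em_len is the modulus size in bytes.
 * Returns 0 on success, -1 if the modulus cannot hold 8 padding bytes. */
int emsa_pkcs1_v15_sha1_encode(const uint8_t *digest, uint8_t *em, size_t em_len)
{
    if (em_len < DIGEST_INFO_LEN + 11)
        return -1;
    size_t ps_len = em_len - DIGEST_INFO_LEN - 3;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, sha1_prefix, sizeof sha1_prefix);
    memcpy(em + 3 + ps_len + sizeof sha1_prefix, digest, SHA1_LEN);
    return 0;
}

/* block: full-size output of the raw RSA public-key operation on the signature.
 * Returns 1 only if it equals the expected encoding byte for byte, so short
 * padding or trailing bytes after the digest are rejected. */
int pkcs1_v15_sha1_block_ok(const uint8_t *block, size_t block_len,
                            const uint8_t *digest)
{
    uint8_t expected[512], diff = 0;
    if (block_len > sizeof expected ||
        emsa_pkcs1_v15_sha1_encode(digest, expected, block_len) != 0)
        return 0;
    for (size_t i = 0; i < block_len; i++)
        diff |= (uint8_t)(block[i] ^ expected[i]);
    return diff == 0;
}

int main(void)
{
    uint8_t digest[SHA1_LEN] = {1, 2, 3}; /* constructed stand-in for SHA1(data) */
    uint8_t em[256];                      /* constructed 2048-bit block */
    emsa_pkcs1_v15_sha1_encode(digest, em, sizeof em);
    printf("well-formed block: %d\n", pkcs1_v15_sha1_block_ok(em, sizeof em, digest));
    em[10] = 0x00; /* a 0x00 inside the padding run: must be rejected */
    printf("broken padding:    %d\n", pkcs1_v15_sha1_block_ok(em, sizeof em, digest));
}
```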